We have posted on numerous cases involving data breach plaintiffs who are rebuffed by courts because they have not suffered cognizable harm such as out-of-pocket losses. A pair of recent cases involved businesses whose bank accounts were drained after their log-in credentials were compromised and who sued their banks for the resulting out-of-pocket losses. In one case, the court finds for the customer; in the other, it finds for the bank. (Standing was not an issue in either case, since the plaintiffs suffered out-of-pocket losses.)

Experi-Metal was the victim of a phishing attack, which led to unauthorized wire transfers of $1.9+ million from its bank accounts at Comerica. Comerica recovered all but $560,000 of this amount, and Experi-Metal sought to hold Comerica liable for the remaining amount. Following a bench trial, the court concludes that Comerica did not act in good faith–i.e., did not observe “reasonable commercial standards of fair dealing.”

Here is how the court recounts the phishing incident:

During the morning of January 21, 2009, Comerica was alerted to phishing e-mails sent to its customers by a third-party attempting to lure the customers into providing their confidential identification information . . . . Mr. Kind, Experi-Metal’s Vice President of Manufacturing, forwarded [the phishing e-mail he received] to Mr. Maslowski [its controller]. The e-mail instructed the recipient to click on an attached link to complete a “Comerica Business Connect Customer Form.” At approximately 7:35 a.m., Mr. Maslowski clicked on the link and was directed to a website where he responded to a request for his confidential secure token identification, Treasury Management Web ID, and login information. By doing so, Mr. Maslowski provided a third-party with immediate online access to Experi-Metal’s Comerica bank accounts from which the individual began initiating wire transfer payment orders . . . .

Whether Maslowski was authorized to initiate wire transfers: Experi-Metal first argued that Maslowski was not authorized to initiate wire transfers, so the bank should not have processed the requests. The court rejects this argument, finding that on numerous documents the CEO of Experi-Metal designated appropriate “users” for Experi-Metal’s Comerica account, and these documents listed both herself and Mr. Maslowski. The court finds that the CEO’s explanation regarding Maslowski’s lack of authority wasn’t credible. Maslowski had the password and, in the aftermath of the phishing incident, the CEO did not raise a hue and cry about why he had it.

Whether Comerica processed the payment orders in “good faith”: Michigan’s version of the Uniform Commercial Code allows the bank to get off the hook for unauthorized wire transfer orders if (1) the bank and customer agree to a security procedure for verifying payments; (2) the security procedure is commercially reasonable; and (3) the bank accepts the orders in “good faith.” Even if these conditions are satisfied, the customer may shift the loss to the bank if the customer can show that “the person committing the fraud did not obtain the confidential information [facilitating the breach of the security procedure] from an agent or former agent of the customer or from a source controlled by the customer.”

The parties agreed that the burden fell on Comerica to prove that it accepted the payment orders “in good faith.” Both sides presented expert testimony on the issue of whether Comerica’s acceptance and processing of the unauthorized wire transfers comported with industry or commercial standards. The court does not give much credence to the testimony of either party’s expert. Ultimately the court concludes, based on a variety of facts, that Comerica failed to satisfy its burden:

the volume and frequency of the payment orders and the book transfers [from one Experi-Metal account to another] that enabled the criminal to fund those orders; the $5 million overdraft created by those book transfers in what is regularly a zero balance account; Experi-Metal’s limited prior wire activity; the destinations and beneficiaries of the funds; and Comerica’s knowledge of prior and . . . current phishing attempts.

Based on these facts, the court concludes “that a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier.”
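The indicators the court lists above (order volume and frequency, book transfers funding the orders, an overdraft in a normally zero-balance account, limited prior wire history, unusual destinations, and knowledge of an active phishing campaign) are the kind of signals a bank's transaction-monitoring rules can score before releasing a payment order. The following Python routine is an added illustration of how such rules might be encoded; it is not from either opinion and not any bank's system. The record types, account names, dollar amounts, thresholds and the "hold for review when two or more indicators fire" policy are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Hypothetical record types for the example (not any bank's schema).
@dataclass
class WireOrder:
    ts: datetime
    source: str         # internal account the wire is drawn on
    beneficiary: str
    country: str
    amount: float

@dataclass
class BookTransfer:
    ts: datetime
    src: str            # internal account debited
    dst: str            # internal account credited
    amount: float

@dataclass
class CustomerProfile:
    wires_per_day: float              # historical average wire volume
    known_beneficiaries: Set[str]
    known_countries: Set[str]
    zero_balance_accounts: Set[str]   # accounts that normally carry a zero balance

def assess_session(orders: List[WireOrder], transfers: List[BookTransfer],
                   profile: CustomerProfile, opening: Dict[str, float],
                   phishing_alert: bool) -> dict:
    """Score one online-banking session against the indicators the court listed.
    Returns the list of indicators that fired and whether to hold the orders."""
    flags: List[str] = []
    if not orders:
        return {"hold": False, "flags": flags}
    orders = sorted(orders, key=lambda o: o.ts)

    # 1. Volume: wires per day in this session versus the customer's history
    #    (threshold of 5x history, floored at 0.2/day, is a constructed choice).
    span_days = max((orders[-1].ts - orders[0].ts) / timedelta(days=1), 1.0)
    if len(orders) / span_days > 5 * max(profile.wires_per_day, 0.2):
        flags.append(f"volume: {len(orders)} wires in {span_days:.1f} day(s) "
                     f"vs {profile.wires_per_day}/day historically")

    # 2. Frequency: back-to-back orders only minutes apart.
    gaps = [b.ts - a.ts for a, b in zip(orders, orders[1:])]
    if gaps and min(gaps) < timedelta(minutes=5):
        flags.append(f"frequency: orders {min(gaps).seconds // 60} minute(s) apart")

    # 3. Funding: book transfers moving money into the accounts the wires draw on.
    sources = {o.source for o in orders}
    funding = [t for t in transfers if t.dst in sources]
    if funding:
        flags.append(f"funding: {len(funding)} book transfer(s) moved "
                     f"{sum(t.amount for t in funding):,.0f} into wire source account(s)")

    # 4. Overdraft: replay the session and check normally zero-balance accounts.
    balance = dict(opening)
    for t in transfers:
        balance[t.src] = balance.get(t.src, 0.0) - t.amount
        balance[t.dst] = balance.get(t.dst, 0.0) + t.amount
    for o in orders:
        balance[o.source] = balance.get(o.source, 0.0) - o.amount
    for acct in sorted(profile.zero_balance_accounts):
        if balance.get(acct, 0.0) < 0:
            flags.append(f"overdraft: {acct} normally zero, now {balance[acct]:,.0f}")

    # 5. Destinations: beneficiaries or countries never paid before.
    new_benef = {o.beneficiary for o in orders} - profile.known_beneficiaries
    new_ctry = {o.country for o in orders} - profile.known_countries
    if new_benef:
        flags.append(f"destination: {len(new_benef)} previously unseen beneficiary(ies)")
    if new_ctry:
        flags.append(f"destination: unseen country code(s) {sorted(new_ctry)}")

    # 6. Context: the bank knows a phishing campaign is targeting its customers.
    if phishing_alert:
        flags.append("context: active phishing campaign against the bank's customers")

    # Constructed policy: one indicator alone is noise; two or more warrants a hold.
    return {"hold": len(flags) >= 2, "flags": flags}

PROFILE = CustomerProfile(wires_per_day=0.1, known_beneficiaries={"ACME METALS INC"},
                          known_countries={"US"}, zero_balance_accounts={"EM-SWEEP"})
OPENING = {"EM-SWEEP": 0.0, "EM-WIRE": 50_000.0}   # constructed opening balances

def sample_session() -> dict:
    """Constructed session resembling the pattern the court described."""
    day = datetime(2009, 1, 21)
    times = ["07:40", "07:52", "08:05", "08:08", "08:30", "08:55", "09:10", "09:30"]
    amounts = [150_000, 120_000, 180_000, 140_000, 160_000, 130_000, 150_000, 120_000]
    orders = [WireOrder(datetime.combine(day, datetime.strptime(t, "%H:%M").time()),
                        "EM-WIRE", f"BENEFICIARY-{i}", "ZZ", float(a))
              for i, (t, a) in enumerate(zip(times, amounts), start=1)]
    transfers = [BookTransfer(day + timedelta(hours=7, minutes=30 + 20 * i),
                              "EM-SWEEP", "EM-WIRE", 400_000.0) for i in range(3)]
    return assess_session(orders, transfers, PROFILE, OPENING, phishing_alert=True)

def sample_routine_wire() -> dict:
    """Constructed routine payment: one wire to a known vendor during a phishing alert."""
    orders = [WireOrder(datetime(2009, 1, 15, 10, 0), "EM-WIRE",
                        "ACME METALS INC", "US", 20_000.0)]
    return assess_session(orders, [], PROFILE, OPENING, phishing_alert=True)

if __name__ == "__main__":
    for name, result in (("suspicious", sample_session()), ("routine", sample_routine_wire())):
        print(name, "hold" if result["hold"] else "release")
        for f in result["flags"]:
            print("  -", f)
```

The routine session trips only the phishing-alert indicator and is released, which is the point of scoring on several signals at once: a bank-wide alert alone should not freeze every customer's normal payments, but the same alert combined with a burst of orders, internal funding transfers and an overdraft is exactly the combination the court said a bank dealing fairly with its customer would have caught.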

In the second case, involving Patco and Ocean Bank, unknown third parties initiated a series of withdrawals from Patco’s account with Ocean Bank over the course of several days. The withdrawals totaled $588,851, and of this amount Ocean Bank blocked $243,406 of the transfers. Patco sought to hold Ocean Bank liable for the remainder. The person who initiated the transfers had obtained Patco’s credentials:

The Bank authenticated [the initial unauthorized transfer] with Patco’s company ID and password and [Patco’s] proper credentials, including [an authorized user’s] ID, password, and answers to challenge questions. Whoever initiated this transaction did not submit an incorrect password or answers to challenge questions even once.

The court focused on whether the security procedures employed by Ocean Bank were “commercially reasonable” (as in the Comerica case, the court looked to the UCC and the state law version of the relevant provision). In a 70-page opinion which includes discussion of the perspectives of competing experts, industry practices, and alternative security measures, the court concludes that the bank’s procedures may not have been perfect, but were commercially reasonable. As summarized by Brian Krebs (“Court: Passwords + Secret Questions = ‘Reasonable’ eBanking Security”):

The magistrate analyzed whether the bank’s security satisfied “multi-factor authentication” guidelines by incorporating at least two of three checks: Something the user knows (such as a password), something the user has (such as the passcode generated by a one-time token); and something the user is, such as a biometric identifier. (Those guidelines were established in 2005 by banking regulators at the Federal Financial Institutions Examination Council (FFIEC).)

The magistrate judge said the bank’s security satisfies these guidelines. Patco argued that the fraud was caused by keylogging software and that the bank’s security measures (its “rules” for when it would look into suspicious transfers and how it deployed its authentication procedures) were commercially insufficient to deal with this type of risk. Patco faced a bit of an uphill battle on this point because it failed to preserve the evidence on its computers–i.e., Patco did not immediately stop using them and allow them to be forensically examined.

___

Both cases had a few things in common. First, the actual breach happened on the customer’s end–there was no allegation that a criminal broke into the bank’s computer system and siphoned money out of it. Regardless, this did not preclude the claims in either case. Second, in both cases, the bank’s customers were limited by the agreements in question. Although the agreement did not totally preclude Experi-Metal’s claim, it undermined Experi-Metal’s argument that the individual employee who was the victim of the phishing attack was not authorized to undertake wire transfers. I’m willing to bet the plaintiffs in both cases did not carefully review the voluminous documents and updates provided by their respective banks on matters such as account security, authorized signatories, and loss prevention. In both cases, the parties entered into agreements which were “updated” by the banks numerous times, often via email notice or notice through the bank’s online banking interface.

The court’s conclusion in Comerica was very Solomonic: “I’ve taken in all of the evidence and here is my judgment.” The court does not give much credence to either expert. In contrast, the court in Patco goes into mind-numbing detail about the processes, industry standards, and the contentions of the experts.

These decisions are both good wake-up calls to businesses about their exposure to security risks and the limits on their ability to outsource losses to third parties. Both plaintiffs were small businesses that suffered relatively significant out-of-pocket losses, and it probably came as a surprise that there is no legal mechanism to shift the losses to the banks. From reading through both orders, you get the sense that neither the bank nor the customer is particularly well situated to prevent the losses in question. (Undeniably, some additional training and education at the customer end could have potentially averted these losses, but it’s tough to say.) This looks like the type of loss where insurance would be well worth exploring, to the extent it is available. I wonder if we will eventually see federal legislation that sets minimum standards here.